DATA PROTECTION ACT 1998

SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER

MONETARY PENALTY NOTICE

To: Tested.Me Ltd

Of: Verulam Point, Station Way, St. Albans, Hertfordshire, England,
AL1 5HE

The Information Commissioner (“the Commissioner”) has decided to
issue Tested.Me Ltd (“TML”) with a monetary penalty under section 55A
of the Data Protection Act 1998 (“DPA 1998”).[1] The penalty is in relation
to a serious contravention of Regulation 22 of the Privacy and Electronic
Communications (EC Directive) Regulations 2003 (“PECR”).


This notice explains the Commissioner's decision. 

Legal framework 

TML, whose registered office is given above (Companies House
Registration Number: 12699464) is the organisation stated in this notice
to have instigated the transmission of unsolicited communications by
means of email to individual subscribers for the purposes of direct
marketing contrary to Regulation 22 of PECR.


[1] The provisions of the Data Protection Act 1998 remain in force for the
purposes of PECR notwithstanding the introduction of the Data Protection
Act 2018 (see paragraph 58(1) of Part 9, Schedule 20 of the 2018 Act).

Regulation 22 of PECR states:

“(1) This regulation applies to the transmission of unsolicited
communications by means of electronic mail to individual
subscribers.

(2) Except in the circumstances referred to in paragraph (3), a person
shall neither transmit, nor instigate the transmission of, unsolicited
communications for the purposes of direct marketing by means of
electronic mail unless the recipient of the electronic mail has
previously notified the sender that he consents for the time being
to such communications being sent by, or at the instigation of, the
sender.

(3) A person may send or instigate the sending of electronic mail for
the purposes of direct marketing where—

(a) that person has obtained the contact details of the recipient
of that electronic mail in the course of the sale or
negotiations for the sale of a product or service to that
recipient;

(b) the direct marketing is in respect of that person’s similar
products and services only; and

(c) the recipient has been given a simple means of refusing (free
of charge except for the costs of the transmission of the
refusal) the use of his contact details for the purposes of such
direct marketing, at the time that the details were initially
collected, and, where he did not initially refuse the use of the
details, at the time of each subsequent communication.

(4) A subscriber shall not permit his line to be used in contravention
of paragraph (2).”


Section 122(5) of the Data Protection Act 2018 (“DPA 2018”) defines 
direct marketing as “the communication (by whatever means) of 
advertising or marketing material which is directed to particular 
individuals”. This definition also applies for the purposes of PECR (see 
regulation 2(2) PECR and paragraphs 430 and 432(6) to Schedule 19 of 
the DPA18). 


Consent in PECR is defined, from 29 March 2019, by reference to the
concept of consent in Regulation 2016/679 (“the GDPR”): regulation 8(2)
of the Data Protection, Privacy and Electronic Communications
(Amendments etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR
defines consent as “any freely given, specific, informed and unambiguous
indication of the data subject’s wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her”.


Recital 32 of the GDPR materially states that “When the processing has
multiple purposes, consent should be given for all of them”. Recital 42
materially provides that “For consent to be informed, the data subject
should be aware at least of the identity of the controller”. Recital 43
materially states that “Consent is presumed not to be freely given if it
does not allow separate consent to be given to different personal data
processing operations despite it being appropriate in the individual case”.


“Individual” is defined in Regulation 2(1) of PECR as “a living individual
and includes an unincorporated body of such individuals”.

9. A “subscriber” is defined in Regulation 2(1) of PECR as “a person who is
a party to a contract with a provider of public electronic communications
services for the supply of such services”.

10. “Electronic mail” is defined in Regulation 2(1) of PECR as “any text,
voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the
recipient's terminal equipment until it is collected by the recipient and
includes messages sent using a short message service”.

11. Section 55A of the DPA 1998 (as amended by the Privacy and Electronic
Communications (EC Directive)(Amendment) Regulations 2011 and the
Privacy and Electronic Communications (Amendment) Regulations 2015)
states:

“(1) The Commissioner may serve a person with a monetary penalty if
the Commissioner is satisfied that -

(a) there has been a serious contravention of the requirements
of the Privacy and Electronic Communications (EC Directive)
Regulations 2003 by the person,

(b) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the person -

(a) knew or ought to have known that there was a risk that the
contravention would occur, but

(b) failed to take reasonable steps to prevent the
contravention.”


The Data Protection (Monetary Penalties) (Maximum Penalty and
Notices) Regulations 2010 prescribe that the amount of any penalty
determined by the Commissioner must not exceed £500,000.


The Commissioner has issued statutory guidance under section 55C(1) 
of the DPA 1998 about the issuing of monetary penalties that has been 
published on her website. 


PECR were enacted to protect the individual’s fundamental right to
privacy in the electronic communications sector. PECR were
subsequently amended and strengthened. The Commissioner will
interpret PECR in a way which is consistent with the Regulations’
overall aim of ensuring high levels of protection for individuals’ privacy
rights.


The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the DPA18: see paragraph 58(1) of 
Schedule 20 to the DPA18. 


Background to the case 


TML provides digital ‘track-and-trace’ services to businesses. The need
for such services has arisen during the Covid-19 pandemic because of
requirements for businesses to keep records of individuals visiting their
premises. TML’s services function by providing individuals with a QR
code, which the individual then scans on arrival at a business’s
premises, with the effect that their track-and-trace details are provided
automatically.

TML was incorporated on 26 June 2020. There are currently 3 directors,
all of whom were appointed on 26 June: Simon Miles Osman, Andrew
Gordon Reid and Katherine Tracey Reid. Simon Osman and Andrew Reid
are the directors of multiple other companies. The following professional
biography for Simon Osman is found on the website
comparetheloud.net:

“Simon has over 15 years of entrepreneurial experience and always
keeps his finger on the pulse of the IT industry. Prior to creating
iFollowOffice, he founded parent company Viastak and successfully built
and sold Evolution Voice & Data, a multi-million pound telco company.
He was named in the Who’s Who of Young British Entrepreneurs between
2008-2010.”


TML has been registered with the Information Commissioner’s Office 
(“ICO”) since 2 July 2020 (registration number ZA768744). 


TML first came to the Commissioner’s attention after an individual 
submitted a complaint to her regarding unsolicited email marketing on 6 
November 2020. The complaint concerned an email from TML regarding 
a “digital health passport”. The email thanked the individual for scanning 
into a business using TML’s QR code, and marketed an app which could 
be used to “register at open businesses using tested.me more quickly 
and securely, share your Covid-19 test results and track how you're 
feeling on a daily basis”. The individual stated that they did not consent 
to receiving this email and did not believe they had any relationship with 
TML. 


The Commissioner asked this complainant to provide further details of
any complaint they had made to TML directly. This correspondence
revealed that the individual would have signed up to marketing
communications on the online “Visitor Registration Form”, into which
they entered their track-and-trace details. The consent wording on this
form read: “Tick here if you agree for this venue, its alliance and
tested.me to send you marketing materials in the future.”


Below the consent wording was a disclaimer which stated:

“To comply with Government Guidance during the Covid-19 pandemic,
we are collecting your name and contact details. We will store these for
21 days only before deleting them in line with GDPR regulations. Your
details will not be shared with any other company or organisation.”


Beyond this disclaimer, no further privacy information was provided. 


There was no link to a privacy notice. 


The only indication an individual had as to who operated the page was a
small “tested.me” logo at the bottom of it.


For the reasons set out below at paragraph 50, the Commissioner was
concerned that consent obtained on the basis of this wording was
inadequate. She therefore sent an initial investigation letter to TML on 9
November 2020. This letter noted the Commissioner’s concerns, detailed
her remit and powers, and asked TML various questions about its
compliance with PECR.


TML replied on 11 November 2020. This letter began by setting out a
summary of TML’s service. TML explained that it provides software to
businesses which allows TML to collect information on their visitors,
namely: the name of the individual, time and date of visit, contact
information, and (if applicable) TML app profile of the individual. That
information is not visible to the business, but is stored by TML in case
the NHS Test and Trace service requires it. TML also explained how its
“Digital Health Passport App” could be used to enable “frictionless”
access by non-employees to business premises.


TML provided its internal “Data Protection Policy”, which covers
requirements imposed by the GDPR and DPA 2018. This policy sets out
definitions of key terms, the data protection principles, details TML’s
basis for processing, and its data protection obligations. The Data
Protection Policy does not refer to direct marketing or the PECR. The
policy does, however, include a detailed consideration of what is meant
by “consent”. This reads, so far as material:

“Consent must be explicit and freely given, specific, informed and
unambiguous indication of the data subjects wishes.

Consent must be given with a clear affirmative action on the part of the
data subject, as such pre-ticked boxes will not be used.

Consent will only be taken as given if it understood that the data subject
is fully informed on the intended purpose for the processing. Consent
will not have been obtained if it been obtained under duress or by
misleading information about the purpose of the processing.”


TML provided a summary of the marketing messages it had sent over
the period 26 June 2020 to 09 November 2020. This consisted of 4
emails. Following further consideration by the Commissioner, including
of material provided by TML in further correspondence, she concluded
that emails (1) and (2) did not raise any concerns under PECR. The
remainder of this Notice is therefore only concerned with emails (3) and
(4).


TML stated that email (3) was sent on 11 September 2020 to 54,675
individuals who had filled out the Visitor Registration Form and had
ticked the marketing consent form referred to at paragraph 19 above.

The email sought to market TML’s “Digital Health Passport App” in the
following terms (emphasis in original):

“Introducing your digital health passport

Thanks for recently scanning in at a tested.me venue! We're excited to
share that our digital health passport app is now live, keeping you safe
when you go out in your community.

With the tested.me app, you can register at tested.me venues more
quickly and securely, share your Covid-19 test results, track how you're
feeling on a daily basis and continue helping your local businesses stay
open responsibly.

Get your tested.me digital health passport, today. It's free,
completely secure and is becoming widely used as a symbol of
confidence and trust.

Easily scan to register at tested.me venues

With the tested.me app on your phone, you can scan in and register at
tested.me venues quicker than before. You'll no longer need to fill out
your details on a form, just scan and agree to share! The tested.me
app is a frictionless way to support your local businesses. ...”


TML explained that, in response to this email, it had received 13 emails
from individuals requesting to be removed from its marketing
database.

Email (4) was sent to individuals who had filled out the Visitor
Registration Form and had ticked the marketing consent form referred
to at paragraph 19 above after the sending of email (3). TML stated
that this email was sent on 5 November 2020 to 14,951 individuals.

The email sought to market TML’s “Digital Health Passport App” and
was worded in very similar terms to email (3).


TML highlighted a technical issue with email (4): that individuals who
had opted out of marketing communications following receipt of email
(3) would not have been opted out of email (4) if they had filled out
the Visitor Registration Form for a second time following the initial
opt-out and ticked the marketing consent box. TML explained this was
because such individuals’ data had been deleted, rather than being
added to a suppression list. TML explained that this error led to a
further complaint by an individual who had sought to opt-out following
receipt of email (3).


TML also explained that they had previously misunderstood requests 
from individuals to no longer receive marketing communications as 
requests to delete personal data held about those individuals. Those 
affected by this error included the individual who had complained to 
the ICO. 


TML explained that personal data in relation to emails (3) and (4) was
collected when individuals ticked the marketing consent box on the
Visitor Registration Form. No data was said to have been purchased
from third parties.

TML stated that, at the point an individual filled out the online Visitor
Registration Form, they were provided with a privacy notice “as
featured on our website”.

The Commissioner is satisfied that the “Privacy Notice” provided by
TML is relatively detailed and clear in explaining what data is collected
and how, how the personal data is used, and rights which individuals
have in relation to their data. However, the part of the Privacy Notice
on direct marketing by TML is brief, and states only that “We strive to
provide you with choices regarding certain personal data uses,
particularly around marketing and advertising.”


TML explained that it provides data protection training and that all staff
members had completed this.

TML provided, in addition to its Privacy Policy, a “data privacy white
paper” and a “special category information policy”. Neither document
refers to direct marketing or PECR. However, the former document
does provide the following wording on the need for valid consent:

“The meaning of consent under GDPR is very specific and can only be
considered valid if it is; specific, unambiguous, freely given and is a
positive action to show the wishes of the data subject.

Tested.me ensures that a compliance privacy notice is shown when
collecting consent from a data subject. The method of collecting
consent should require a positive action of the data subject to show
their wishes; we do this by:

• From email - An unambiguous statement showing consent in
response to the privacy notice.”


The Commissioner wrote again to TML on 11 November 2020 to
request further information. TML responded on 12 November 2020.
This response confirmed that the Visitor Registration Form provided by
the complainant (as set out at paragraph 19 above) was the same form
TML used more widely. TML also explained that, at this date, it had
facilitated around 200,000 check-ins at business venues.


The Commissioner sent a further email to TML on 13 November 2020. 


TML replied on 16 November 2020. This response: 


a. Confirmed that, despite what TML had stated in its 11
November 2020 response (see paragraph 33 above), its
Privacy Notice was not provided to individuals at the point
they opted-in to marketing communications. The only
information provided at this stage was the disclaimer (referred
to at paragraph 20 above) informing individuals their data
would be deleted after 21 days.

b. TML also provided the open, click and bounce rates for each
email. For emails (3) and (4), these figures are:

Email no.   Times sent   Connected   Opened
3           55,968       54,675      31,534
4           29,912       29,229      15,847
Total       85,880       83,904      47,381


The Commissioner noted that the numbers provided by TML at this
stage differed from the numbers first provided by TML in its 11
November 2020 response (see paragraphs 27 and 29 above). It was
clear that, for email (3), TML had provided the number of connected
emails, rather than the total emails sent. However, the inconsistency
between the numbers for email (4) was not immediately obvious. The
Commissioner therefore sent a request for clarification to TML on 18
November 2020.

TML replied on 19 November 2020, explaining that it had made an
error when collating the initial figure for email (4), and that the emails
in the table above were the correct figures.

An end of investigation letter was sent to TML on 20 November 2020.


In conclusion, the Commissioner is satisfied that TML sent 85,880
marketing emails, of which 83,904 were delivered.

The Commissioner has made the above findings of fact on the
balance of probabilities.

The Commissioner has considered whether those facts constitute
a contravention of Regulation 22 of PECR by TML and, if so, whether
the conditions of section 55A DPA 1998 (as extended and modified by
PECR) are satisfied.


The contravention 


The Commissioner finds that TML contravened Regulation 22 of PECR. 


The Commissioner finds that the contravention was as follows: 


Between 11 September 2020 and 5 November 2020, TML sent 83,904
emails which were received by subscribers. The Commissioner is
satisfied that these emails constituted “direct marketing” as defined by
section 122(5) of the DPA 2018 because both emails sought to
encourage individuals to download and make use of, and to promote
more generally, TML’s “Digital Health Passport App”. The Commissioner
finds that each of these emails was sent by TML contrary to
Regulation 22 of PECR.

TML, when it transmitted marketing emails, was required to ensure
that it was acting in compliance with the requirements of Regulation 22
of PECR, and to ensure that valid consent to send those messages had
been acquired.


The Commissioner finds that the consent provided by recipients of these
emails was invalid because, contrary to Article 4(11) of the GDPR, it was
not “freely given, specific, [and] informed”. Specifically:

a. Consent was not “informed” because inadequate information
was provided about the identity of TML and the venue in
question's “alliance”. Beyond a small “tested.me” logo at the
bottom of the Visitor Registration Form, no information was
provided about who TML is and what activities it engages in. It
is also unclear which specific entities are part of a venue’s
“alliance”.

b. Consent was not “informed” because the Visitor Registration
Form did not contain any link to TML’s Privacy Notice.

c. Consent was not “freely given” or “specific” because it was
insufficiently granular. Individuals could only consent to
receiving “marketing materials” from “this venue, its alliance
and tested.me”. Instead, TML was required to unbundle this
consent wording into its separate purposes; for example, by
allowing individuals to consent only to receiving marketing
materials from TML.

d. Consent was not “freely given” or “specific” because the
Visitor Registration Form referred to “marketing materials”,
instead of allowing individuals to consent to marketing
communications by specific channels (e.g. by email or by
telephone).


The Commissioner is therefore satisfied from the evidence she has
seen that TML did not have the necessary valid consent for the 83,904
direct marketing messages received by subscribers.

The Commissioner has gone on to consider whether the conditions
under section 55A DPA 1998 (as extended and modified by PECR) are
met.

Seriousness of the contravention

The Commissioner is satisfied that the contravention identified
above was serious. This is because, between 11 September 2020 and 5
November 2020, TML sent a confirmed total of 83,904 direct marketing
messages which were received by subscribers. These messages
contained direct marketing material for which subscribers had not
provided adequate consent.


The Commissioner is therefore satisfied that condition (a) from 
section 55A(1) DPA 1998 (as extended and modified by PECR) is met. 


Deliberate or negligent contraventions 


The Commissioner does not consider that TML deliberately set out to
contravene PECR in this instance.

The Commissioner has gone on to consider whether the contravention
identified above was negligent. This consideration comprises two
elements:

First, she has considered whether TML knew or ought reasonably to
have known that there was a risk that these contraventions would
occur. She is satisfied that this condition is met for the following
reasons:


a. During the period in question, TML sent 85,880 direct
marketing emails promoting the “Digital Health Passport App” to
subscribers. It can be inferred from this that such emails were
an important part of TML’s strategy of encouraging uptake of
the app. As such, TML should reasonably have sought to
familiarise itself with the relevant statutory regime.

b. It is clear from its Privacy Notice, Data Protection Policy, “data
privacy white paper” and “special category information policy”,
as well as the provision of data protection training for staff,
that TML had sought to acquaint itself with its privacy and
data protection obligations. In particular, TML’s Data
Protection Policy and “data privacy white paper” both contain
detailed consideration of the requirements for valid consent.

c. The fact that TML received various complaints from individuals
who were sent the two direct marketing emails in question
should have alerted it to the fact that these emails were not in
accordance with PECR.

d. Mr Osman, one of TML’s directors, appears to have significant
experience of running businesses in the technology sector. It
was reasonable to expect him to be aware of TML’s obligations
under PECR.

e. TML had been registered with the ICO since 2 July 2020. The
Commissioner has published detailed guidance for
organisations carrying out direct marketing which explains
their legal obligations under PECR. This guidance gives clear
advice regarding the requirements of consent for direct
marketing and explains the circumstances under which
organisations are able to carry out marketing by email. In
particular it states that organisations can generally only send,
or instigate, marketing emails to individuals if that person has
specifically consented to receiving them. The Commissioner
has also published detailed guidance on consent under the
GDPR. In case organisations remain unclear on their
obligations, the ICO operates a telephone helpline. ICO
communications about previous enforcement action where
businesses have not complied with PECR are also readily
available.


It is therefore reasonable to suppose that TML should have been aware
of its responsibilities in this area.

Secondly, the Commissioner has gone on to consider whether TML
failed to take reasonable steps to prevent the contraventions. Again,
she is satisfied that this condition is met.

Reasonable steps in these circumstances may, in particular, have
included a combination of the following:

a. Ensuring that the consent wording used on the Visitor
Registration Form was consistent with internal policies; in
particular, its Data Protection Policy and “data privacy white
paper”, both of which considered in detail the necessary
elements of valid consent.

b. Consulting ICO guidance and/or the ICO telephone helpline to
ensure its marketing policy was compliant with PECR.

c. Meaningfully reviewing its approach to marketing following the
receipt of complaints.

In the circumstances, the Commissioner is satisfied that TML failed to
take reasonable steps to prevent the contraventions.


The Commissioner is therefore satisfied that condition (b) from section 
55A(1) DPA 1998 (as extended and modified by PECR) is met. 


The Commissioner's decision to issue a monetary penalty 


The Commissioner has also taken into account the following
aggravating feature of this case:

TML has shown that it had knowledge of many of the obligations
imposed on it by data protection law, and was registered with the ICO.
An organisation in its position should have made itself aware of
relevant ICO guidance and, if in any doubt as to its obligations under
PECR, made use of the ICO’s telephone helpline.

The Commissioner has also taken into account the following mitigating
features of this case:

TML stopped sending marketing emails as soon as the Commissioner
communicated her concerns in this regard.

TML, as well as its 3 directors, do not have any previous history of
having breached PECR, or data protection law more generally.

For the reasons explained above, the Commissioner is satisfied that the
conditions from section 55A (1) DPA have been met in this case. She is
also satisfied that the procedural rights under section 55B have been
complied with.


The latter has included the issuing of a Notice of Intent, in which the
Commissioner set out her preliminary thinking. In view of the current
pandemic, TML had previously agreed to accept email service of any
Notices, and the Commissioner has a delivery receipt confirming
service of the Notice of Intent on 31 March 2021. TML later confirmed
receipt of service of the Notice of Intent by email of 21 April 2021. The
Commissioner received no representations from TML.

The Commissioner is accordingly entitled to issue a monetary penalty
in this case.

The Commissioner has considered whether, in the circumstances, she
should exercise her discretion so as to issue a monetary penalty.

The Commissioner has considered the likely impact of a monetary
penalty on TML. As TML was incorporated in June 2020, there is no
financial information currently available to her. TML was invited to
provide financial representations in response to the Notice of Intent,
but failed to do so. The Commissioner considers in the circumstances
that a penalty remains the appropriate course of action.


The Commissioner’s underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR. The sending of
unsolicited marketing emails is a matter of significant public concern. A
monetary penalty in this case should act as a general encouragement
towards compliance with the law, or at least as a deterrent against
non-compliance, on the part of all persons running businesses currently
engaging in these practices. The issuing of a monetary penalty will
reinforce the need for businesses to ensure that they are only
messaging those who specifically consent to receive marketing.

The Commissioner has also taken into account that the provision of
digital track-and-trace services is an emerging area of business
activity, that individuals are often under a legal requirement to provide
contact details when accessing venues, and that there is significant
scope for other providers of such services to send unsolicited direct
marketing communications in the future. The Commissioner considers
that imposing a monetary penalty notice will serve as a deterrent to
other existing or future digital track-and-trace providers.

For these reasons, the Commissioner has decided to issue a monetary
penalty in this case.


The amount of the penalty 


Taking into account all of the above, the Commissioner has decided
that a penalty in the sum of £8,000 (Eight thousand pounds) is
reasonable and proportionate given the particular facts of the case and
the underlying objective in imposing the penalty.

Conclusion

The monetary penalty must be paid to the Commissioner's office by
BACS transfer or cheque by 08 June 2021 at the latest. The monetary
penalty is not kept by the Commissioner but will be paid into the
Consolidated Fund which is the Government’s general bank account at
the Bank of England.

If the Commissioner receives full payment of the monetary penalty by
07 June 2021 the Commissioner will reduce the monetary penalty by
20% to £6,400 (six thousand and four hundred pounds).

However, you should be aware that the early payment discount is not
available if you decide to exercise your right of appeal.


There is a right of appeal to the First-tier Tribunal (Information Rights)
against:

(a) the imposition of the monetary penalty
and/or;
(b) the amount of the penalty specified in the monetary penalty
notice.

Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.

Information about appeals is set out in Annex 1.


The Commissioner will not take action to enforce a monetary penalty
unless:

• the period specified within the notice within which a monetary
penalty must be paid has expired and all or any of the monetary
penalty has not been paid;

• all relevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdrawn; and

• the period for appealing against the monetary penalty and any
variation of it has expired.

80. In England, Wales and Northern Ireland, the monetary penalty is
recoverable by Order of the County Court or the High Court. In
Scotland, the monetary penalty can be enforced in the same manner as
an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.
Dated the 10th day of May 2021

Andy Curry
Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ANNEX 1

SECTION 55 A-E OF THE DATA PROTECTION ACT 1998

RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER

1. Section 55B(5) of the Data Protection Act 1998 gives any person
upon whom a monetary penalty notice has been served a right of
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)
against the notice.
2. If you decide to appeal and if the Tribunal considers:-

a) that the notice against which the appeal is brought is not in
accordance with the law; or

b) to the extent that the notice involved an exercise of
discretion by the Commissioner, that she ought to have exercised
her discretion differently,

the Tribunal will allow the appeal or substitute such other decision as
could have been made by the Commissioner. In any other case the
Tribunal will dismiss the appeal.


3. You may bring an appeal by serving a notice of appeal on the
Tribunal at the following address:

General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ

Telephone: 0300 123 4504
Email: grc@justice.gov.uk

a) The notice of appeal should be sent so it is received by the
Tribunal within 28 days of the date of the notice.

b) If your notice of appeal is late the Tribunal will not admit it
unless the Tribunal has extended the time for complying with this
rule.

4. The notice of appeal should state:-

a) your name and address/name and address of your
representative (if any);

b) an address where documents may be sent or delivered to
you;

c) the name and address of the Information Commissioner;

d) details of the decision to which the proceedings relate;

e) the result that you are seeking;

f) the grounds on which you rely;

g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;

h) if you have exceeded the time limit mentioned above the
notice of appeal must include a request for an extension of time
and the reason why the notice of appeal was not provided in
time.

5. Before deciding whether or not to appeal you may wish to consult
your solicitor or another adviser. At the hearing of an appeal a party
may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.


6. The statutory provisions concerning appeals to the First-tier Tribunal
(Information Rights) are contained in section 55B(5) of, and Schedule 6 to,
the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.
1976 (L.20)).